Posted by Tomas Zubov, Last modified by Tomas Zubov on 21 April 2014 12:29 PM
A major vulnerability, CVE-2014-0160, has been discovered in the TLS extension of the open-source OpenSSL library. It allows attackers to obtain server private keys and thus decrypt sensitive data in SSL communication between the server and end users. IceWarp 11.0.0 for Windows and possibly all IceWarp Linux distributions are affected and can be vulnerable unless patched with the newly released OpenSSL 1.0.1g.
Related OpenSSL security advisory:
For detailed information see:
Online test for vulnerability (see also FAQ/status):
IceWarp customers should immediately apply the patch to their systems as follows.
IceWarp for Windows 11.0.0 32-bit
Please download the latest version of IceWarp "11.0.0 build 3" from 8th April 2014 (or newer) from http://www.icewarp.com/downloads/public/ and install this version over your current installation.
Or download and apply the patch from http://www.icewarp.com/download/patches/openssl/2014/icewarp32.zip
IceWarp for Windows 11.0.0 64-bit
Please download the latest version of IceWarp "11.0.0 build 3" from 8th April 2014 (or newer) from
Or download and apply the patch from http://www.icewarp.com/download/patches/openssl/2014/icewarp64.zip
IceWarp for Windows 10.4.5 (and older)
These versions are NOT affected (OpenSSL 0.9.8 branch is not vulnerable).
IceWarp for Linux (all versions)
On Linux, IceWarp uses the system's own OpenSSL libraries. Ensure that OpenSSL in your operating system is updated to the latest version (already available in all distributions).
Installing the patch for Windows
1. Download the patch (32-bit or 64-bit version) from the link above.
2. Stop all IceWarp services.
3. Extract the DLL files and copy them to the root folder of your IceWarp installation.
4. Start all IceWarp services.
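To confirm after step 4 that the libeay32.dll and ssleay32.dll now in the IceWarp root folder are 1.0.1g builds, the files can be scanned for the release banner OpenSSL embeds in its binaries. This is an added example, not IceWarp's or OpenSSL's own tooling; the function names, the script name in the usage comment and the sample bytes are assumptions made for illustration.

```python
import re
import sys

# OpenSSL embeds its release banner in the library binary,
# e.g. b"OpenSSL 1.0.1f 6 Jan 2014" (FIPS and beta builds add a "-tag").
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(-[a-z0-9]+)? +\d{1,2} [A-Z][a-z]{2} \d{4}")

def classify(version, letter, tag=""):
    """Classify one upstream OpenSSL release against CVE-2014-0160."""
    if version == "1.0.1":
        # 1.0.1 through 1.0.1f contain the bug; 1.0.1g is the fixed release.
        return "vulnerable" if letter < "g" else "patched"
    if version == "1.0.2" and tag == "-beta1":
        return "vulnerable"  # from the OpenSSL advisory, not stated on this page
    return "not affected"    # e.g. the 0.9.8 branch named above

def scan_bytes(data):
    """Return {release: status} for every OpenSSL banner found in data."""
    found = {}
    for m in BANNER.finditer(data):
        version, letter, tag = (g.decode() if g else "" for g in m.groups())
        found[version + letter + tag] = classify(version, letter, tag)
    return found

def scan_file(path):
    """Scan one library file (DLL or shared object) on disk."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())

# Constructed sample: bytes shaped like a fragment of an unpatched library.
SAMPLE_OLD = (b"\x00SSLv3 part of OpenSSL 1.0.1f 6 Jan 2014\x00"
              b"TLSv1 part of OpenSSL 1.0.1f 6 Jan 2014\x00")

if __name__ == "__main__":
    # Usage (hypothetical script name): python check_openssl.py libeay32.dll ssleay32.dll
    paths = sys.argv[1:]
    if not paths:
        print("constructed sample:", scan_bytes(SAMPLE_OLD))
    exit_code = 0
    for path in paths:
        result = scan_file(path)
        print(path, result or "no OpenSSL banner found")
        if not result or "vulnerable" in result.values():
            exit_code = 1  # non-zero exit so the check can gate a deployment script
    sys.exit(exit_code)
```

On Linux the banner alone is not conclusive: distributions commonly backport the fix without changing the release letter, so a patched system library can still report an older 1.0.1 release and the package changelog is the authority there.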
Regenerating SSL Certificates
There is a theoretical possibility that the server's private key could have been read by an attacker. Customers who were vulnerable should therefore replace their server SSL certificate. If you are using a self-signed certificate, just generate a new one in console - Certificates - Create CSR/Certificate and set it as the default one. If you have a CA-issued certificate, please contact your CA; most offer a free replacement. If you have an IceWarp CA-issued certificate (paid for), please contact firstname.lastname@example.org and we will issue a free replacement with the same validity.
Instructions for non-IceWarp users
Until the OpenSSL libraries are updated in other Windows programs, IceWarp provides a patched version of the OpenSSL 1.0.1g library for Windows (libeay32.dll, ssleay32.dll) to the general public as a courtesy to all internet users: